Vendor Deliverables. The following items are to be provided by the vendor:
Vendor Deliverables. The following items are to be provided by the vendor prior to the Contract finalization: • OCHCA Security Requirements and Guidelines for Application Vendors and Application Service Providers - Questionnaire • Vendor risk acceptance / compliance statement • Business Continuity Plan Summary (as related to service provided) • ISO SOX compliance certificate (if applicable) • Security Waiver form (if applicable) • IT Security Staff Usage Policy • IT Security Policies and Procedures • IT Operations Security Policy • Data Management Security Policy • Security Incident Notification and Management Process • Security Contact Identification (24x7x365) • Staff Related Items o Pre-Employment Screening Policy/Procedure o Background Checking Procedure o Ongoing Employment Status Validation Process o Staff Roster and Duties EXHIBIT 1 COUNTY OF ORANGE CHILD SUPPORT ENFORCEMENT REQUIREMENTS In order to enhance the child support collection efforts of the County of Orange Child Support Services, all contractors are required to provide the following information as listed on the attached form: • If the Contractor is an individual contractor: Name, date of birth, social security number, and residence address. • If Contractor is doing business in a form other than as an individual: Name, date of birth, social security number, and residence address of each individual who owns an interest of ten
Vendor Deliverables. The following items are to be provided by the vendor: ▪ OCHCA Security Requirements and Guidelines for Application Vendors and Application Service Providers - Questionnaire ▪ Business Continuity Plan Summary (as related to service provided) ▪ SSAE 18 SOC 2 Type 2 or SOC 3 compliance certificate • Network Diagram that demonstrates vendor network and application segmentation including the security controls in place to protect HCA data • IT Security Staff Usage Policy • IT Security Policies and Procedures • IT Operations Security Policy • Data Management Security Policy • Security Incident Notification and Management Process • Security Contact Identification (24x7x365)
Vendor Deliverables. The following items are to be provided by the vendor: ▪ OCHCA Security Requirements and Guidelines for Application Vendors and Application Service Providers - Questionnaire ▪ Business Continuity Plan Summary (as related to service provided) ▪ SSAE 18 SOC 2 Type 2 or SOC 3 compliance certificate • Network Diagram that demonstrates vendor network and application segmentation including the security controls in place to protect HCA data • IT Security Staff Usage Policy • IT Security Policies and Procedures • IT Operations Security Policy • Data Management Security Policy • Security Incident Notification and Management Process • Security Contact Identification (24x7x365) ▪ Staff Related Items o Pre-Employment Screening Policy/Procedure o Background Checking Procedure o Ongoing Employment Status Validation Process
Vendor Deliverables. The following items are to be provided by the vendor prior to the contract finalization: ▪ OCHCA Security Requirements and Guidelines for Application Vendors and Application Service Providers - Questionnaire ▪ Business Continuity Plan Summary (as related to service provided) ▪ SSAE 16 SOC 2 Type 2 or SSAE 16 SOC 1 Type 2 compliance certificate (if applicable) • Network Diagram that demonstrates vendor network and application segmentation including the security controls in place to protect HCA data • IT Security Staff Usage Policy • IT Security Policies and Procedures • IT Operations Security Policy • Data Management Security Policy • Security Incident Notification and Management Process • Security Contact Identification (24x7x365) ▪ Staff Related Items o Pre-Employment Screening Policy/Procedure o Background Checking Procedure o Ongoing Employment Status Validation Process DocuSign Envelope ID: 32AC7F38-40B4-4FD7-9103-57D01A9AA5C7
Vendor Deliverables. The following items are to be provided by the vendor: County of Orange Health Care Agency Page 49 Contract MA-042-17011420 ▪ OCHCA Security Requirements and Guidelines for Application Vendors and Application Service Providers - Questionnaire ▪ Business Continuity Plan Summary (as related to service provided) • Network Diagram that demonstrates vendor network and application segmentation including the security controls in place to protect HCA data • IT Security Staff Usage Policy • IT Security Policies and Procedures • IT Operations Security Policy • Data Management Security Policy • Security Incident Notification and Management Process • Security Contact Identification (24x7x365) ▪ Staff Related Items o Pre-Employment Screening Policy/Procedure o Background Checking Procedure o Ongoing Employment Status Validation Process o Staff Roster and Duties
Vendor Deliverables. The following items are to be provided by the vendor: County of Orange Page 52 of 53 MA-042-19011809 Health Care Agency File Folder No. C018820 ▪ OCHCA Security Requirements and Guidelines for Application Vendors and Application Service Providers - Questionnaire ▪ Business Continuity Plan Summary (as related to service provided) ▪ SSAE 18 SOC 2 Type 2 or SOC 3 compliance certificate • Network Diagram that demonstrates vendor network and application segmentation including the security controls in place to protect HCA data • IT Security Staff Usage Policy • IT Security Policies and Procedures • IT Operations Security Policy • Data Management Security Policy • Security Incident Notification and Management Process • Security Contact Identification (24x7x365) ▪ Staff Related Items o Pre-Employment Screening Policy/Procedure o Background Checking Procedure o Ongoing Employment Status Validation Process o Staff Roster and Duties County of Orange Page 53 of 53 MA-042-19011809
Vendor Deliverables. The following items are to be provided by the vendor: OCHCA Security Requirements and Guidelines for Application Vendors and Application Service Providers - Questionnaire Business Continuity Plan Summary (as related to service provided) Network Diagram that demonstrates vendor network and application segmentation including the security controls in place to protect HCA data IT Security Staff Usage Policy IT Security Policies and Procedures IT Operations Security Policy Data Management Security Policy Security Incident Notification and Management Process Security Contact Identification (24x7x365) Staff Related Items o Pre-Employment Screening Policy/Procedure o Background Checking Procedure o Ongoing Employment Status Validation Process
Vendor Deliverables. A. All deliverables shall meet the following criteria:
Vendor Deliverables. County of Orange Page 40 of 53 MA-042-19011809 Health Care Agency File Folder No. C018820 1 Overview Security Requirements and Guidelines for Application Vendors and Application Service Providers This document provides a high-level overview of application security related guidelines and requirements set forth by the Orange County Health Care Agency (OCHCA), and applies to both software vendors for County-implemented applications and application service providers who provide hosted services. These requirements and guidelines are consistent with regulatory privacy and security requirements and guidelines as well as supportive of OCHCA’s position and practices on risk management in terms of appropriately safeguarding OCHCA’s information assets. The sections below are comprehensive and may apply in whole or in part based on specific implementation and scope of work. The expectation is that vendors will comply with relevant sections, as necessary. This information will be reviewed, validated and documented by OCHCA Security prior to any contract being finalized. Vendors are required to comply with all existing legal and regulatory requirements as they relate to OCHCA’s systems and data. Example of regulations, rules and laws include, but are not limited to, the Health Insurance Portability and Accountability Act (HIPAA), Senate Bill 1386, Payment Card Industry (PCI) Data Security Standards, and Xxxxxxxx- Xxxxx (SOX). Vendors must also commit to ensuring compliance with all future local, state and federal laws and regulations related to privacy and security as they pertain to the application or service.
